Query Details

DISCOVERY Obsolete Device Connecting To Entra

Query

// DISCOVERY: Obsolete device connecting to Entra
// https://www.linkedin.com/posts/activity-7222163567834230785-BgVr/

// Detect unpatched Windows 10 and 11 clients connecting to your Entra tenant via AADSTS5000611 (Symmetric Key Derivation Function version 'KDFV1' is invalid)

union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| where ResultType != 0 and ResultDescription == "Other"
| where ResultType == "500061"
| distinct Category, Identity


// MITRE ATT&CK Mapping

// Based on the KQL query, the following MITRE ATT&CK techniques are relevant:

// T1078 - Valid Accounts:
// This technique involves adversaries using valid accounts to gain access to systems. The query focuses on non-successful sign-ins, which could indicate attempts to use valid accounts with // incorrect credentials or other issues.
// T1110 - Brute Force:
// The query could be used to detect brute force attempts where multiple sign-in attempts fail. Filtering by ResultType != 0 and specific ResultType == "500061" can help identify such patterns.
// T1556 - Modify Authentication Process:
// The query looks at non-interactive user sign-ins, which could be related to attempts to modify or bypass the authentication process.

Explanation

This query is designed to identify obsolete Windows 10 and 11 devices that are attempting to connect to your Entra tenant using an outdated authentication method. It specifically looks for failed sign-in attempts (ResultType != 0) with a particular error code (500061), which indicates an issue with the Symmetric Key Derivation Function version 'KDFV1'. The query checks both interactive and non-interactive sign-in logs to find distinct categories and identities associated with these failed attempts.

The query is relevant to certain MITRE ATT&CK techniques:

  1. T1078 - Valid Accounts: It highlights the use of valid accounts, focusing on failed sign-ins that might indicate attempts to access systems with incorrect credentials.

  2. T1110 - Brute Force: It can help detect brute force attempts by identifying patterns of multiple failed sign-ins with the specific error code.

  3. T1556 - Modify Authentication Process: It examines non-interactive sign-ins, which could suggest attempts to alter or bypass the authentication process.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

SigninLogsAADNonInteractiveUserSignInLogs

Keywords

SigninLogsAADNonInteractiveUserSignInLogsCategoryIdentity

Operators

unionisfuzzywhere!===distinct

MITRE Techniques

Actions

GitHub